BUG/MINOR: quic: adjust quic_tls prototypes
Two prototypes in quic_tls module were not identical to the actual
function definition.
* quic_tls_decrypt2() : the second argument const attribute is not
present, to be able to use it with EVP_CIPHER_CTX_ctrl(). As a
consequence of this change, the token field of quic_rx_packet is now
declared as non-const.
* quic_tls_generate_retry_integrity_tag() : the second argument type
differs between the two. Adjust this by fixing it to unsigned char
to match the EVP_EncryptUpdate() SSL function.
This situation did not seem to have any visible effect. However, this is
clearly an undefined behavior and should be treated as a bug.
This should be backported up to 2.6.
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index dc2651f..4045896 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -50,7 +50,7 @@
const unsigned char *key, const unsigned char *iv);
int quic_tls_decrypt2(unsigned char *out,
- const unsigned char *in, size_t ilen,
+ unsigned char *in, size_t ilen,
unsigned char *aad, size_t aad_len,
EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
const unsigned char *key, const unsigned char *iv);
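Review bot: The new non-const `in` parameter on quic_tls_decrypt2() removes the only compile-time guarantee that the ciphertext buffer (which, per the other hunks, is the received datagram) is not written through, and the prototype gives a reader no hint that this is an OpenSSL API accommodation rather than an actual write. A comment on the prototype would keep that intent explicit, e.g. `/* 'in' is non-const only because EVP_CIPHER_CTX_ctrl() takes a void * to the AEAD tag; presumably it is never written through -- confirm against the definition */`. An alternative that contains the const loss to one place is to keep the prototype const and cast at the ctrl() call inside the definition; the definition is outside this hunk, so whether `in` is truly read-only cannot be verified here.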
@@ -60,7 +60,7 @@
EVP_CIPHER_CTX *tls_ctx, const EVP_CIPHER *aead,
const unsigned char *key, const unsigned char *iv);
-int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, size_t odcid_len,
+int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, unsigned char odcid_len,
unsigned char *buf, size_t len,
const struct quic_version *qv);
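Review bot: Narrowing `odcid_len` from size_t to unsigned char means any caller still holding a size_t length is implicitly truncated to 8 bits with no diagnostic unless -Wconversion is on, and the prototype does not document why a byte is the right width. Presumably the definition emits this value as the one-byte ODCID Length field of the Retry pseudo-packet (RFC 9001 §5.8), which would justify the type; that should be stated, e.g. `/* odcid_len is a single byte: it is serialized as the ODCID Length field of the Retry pseudo-packet */`. Since the definition is outside this hunk, that reason should be confirmed before the comment is added.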
diff --git a/include/haproxy/xprt_quic-t.h b/include/haproxy/xprt_quic-t.h
index 9af3cc6..e7aefea 100644
--- a/include/haproxy/xprt_quic-t.h
+++ b/include/haproxy/xprt_quic-t.h
@@ -403,7 +403,7 @@
/* Packet number length */
uint32_t pnl;
uint64_t token_len;
- const unsigned char *token;
+ unsigned char *token;
/* Packet length */
uint64_t len;
/* Packet length before decryption */
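Review bot: The `token` field now points at received datagram bytes through a writable pointer, so nothing stops a future caller from mutating the untrusted input after it has been parsed, and the comment block around it says nothing about ownership. A one-line note on the field would preserve the intent the dropped `const` used to carry, e.g. `/* Points into the received datagram; non-const only for EVP_CIPHER_CTX_ctrl(), never written through. */`. The enclosing struct starts and ends outside this hunk, so I cannot see whether other fields already document buffer ownership in the same way.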
diff --git a/src/quic_tls.c b/src/quic_tls.c
index 14b7e16..28c7d75 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -1,3 +1,5 @@
+#include <haproxy/quic_tls.h>
+
#include <string.h>
#include <openssl/ssl.h>
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 042bd17..072fa3c 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -5433,7 +5433,7 @@
* of client source connection ID.
* Return 1 if succeeded, 0 if not.
*/
-static int quic_retry_token_check(const unsigned char *token, size_t tokenlen,
+static int quic_retry_token_check(unsigned char *token, size_t tokenlen,
const struct quic_version *qv,
struct quic_cid *odcid,
const struct quic_cid *dcid,
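Review bot: The function comment above quic_retry_token_check() still reads as if the token is only inspected, but the signature now accepts a writable `token`, leaving callers unsure whether the retry token buffer survives the call intact. Either the comment should state that the token is not modified and that the pointer is non-const only to satisfy quic_tls_decrypt2(), or the const should be kept here and the cast made at the single decrypt call site. The body of quic_retry_token_check() and the rest of its parameter list lie outside this hunk, so whether `token` is in fact written cannot be checked from the diff.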